How to Configure SSL in RabbitMQ for Secure Messaging
To configure SSL in RabbitMQ, you need to generate TLS certificates and update the rabbitmq.conf file with paths to these certificates under the listeners.ssl.default and ssl_options settings. Then restart RabbitMQ to enable encrypted communication over SSL/TLS.
Syntax
The main configuration for SSL in RabbitMQ is done in the rabbitmq.conf file. Key settings include:
- listeners.ssl.default: Port number for SSL connections.
- ssl_options.cacertfile: Path to the CA certificate file.
- ssl_options.certfile: Path to the server certificate file.
- ssl_options.keyfile: Path to the server private key file.
- ssl_options.verify: Client verification mode (e.g., verify_peer).
- ssl_options.fail_if_no_peer_cert: Whether to fail if the client certificate is missing.
```ini
listeners.ssl.default = 5671
ssl_options.cacertfile = /path/to/ca_certificate.pem
ssl_options.certfile = /path/to/server_certificate.pem
ssl_options.keyfile = /path/to/server_key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
```
Example
This example shows a complete rabbitmq.conf snippet to enable SSL on port 5671 using self-signed certificates. It configures RabbitMQ to require client certificate verification for secure communication.
```ini
listeners.ssl.default = 5671
ssl_options.cacertfile = /etc/rabbitmq/ssl/ca_certificate.pem
ssl_options.certfile = /etc/rabbitmq/ssl/server_certificate.pem
ssl_options.keyfile = /etc/rabbitmq/ssl/server_key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
# Optional: disable non-SSL listeners
listeners.tcp.default = none
```
Output
2024-06-01 12:00:00.000 [info] SSL listener started on port 5671
2024-06-01 12:00:00.001 [info] RabbitMQ is running with SSL enabled
Common Pitfalls
Common mistakes when configuring SSL in RabbitMQ include:
- Incorrect file paths for certificates or keys causing RabbitMQ to fail on startup.
- Using certificates without proper permissions, making them unreadable by RabbitMQ.
- Not setting listeners.tcp.default = none to disable unencrypted ports, which leaves unsecured access open.
- Forgetting to restart RabbitMQ after configuration changes.
- Misconfiguring ssl_options.verify, leading to unexpected client connection failures.
```ini
## Wrong: Missing or wrong cert file path
ssl_options.certfile = /wrong/path/server_certificate.pem
## Right: Correct cert file path
ssl_options.certfile = /etc/rabbitmq/ssl/server_certificate.pem
```
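The pitfalls above (wrong paths, unreadable or over-permissive key files, a plaintext listener left open, weak verify settings) can all be caught before the broker is restarted. The following pre-flight checker is an added example written for this page; it is not part of RabbitMQ and not from the original article. It parses the `key = value` lines of a rabbitmq.conf, then audits the TLS-related settings. The `file_mode` callable and the `SAMPLE_CONF`/`SAMPLE_MODES` data are assumptions constructed for the example so that it runs offline; pointed at a real file with the default `file_mode`, it inspects the live filesystem.

```python
import os
import stat

# Certificate/key settings that must point at readable files.
REQUIRED_FILE_KEYS = (
    "ssl_options.cacertfile",
    "ssl_options.certfile",
    "ssl_options.keyfile",
)


def parse_rabbitmq_conf(text):
    """Parse 'key = value' lines of a rabbitmq.conf; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key] = value
    return conf


def audit_tls_config(conf, file_mode=None):
    """Return a list of findings (empty list means the TLS settings look sound).

    file_mode(path) must return the st_mode of the file or None if it is
    missing; the default reads the real filesystem.
    """
    if file_mode is None:
        def file_mode(path):
            try:
                return os.stat(path).st_mode
            except OSError:
                return None

    findings = []

    port = conf.get("listeners.ssl.default")
    if port is None:
        findings.append("listeners.ssl.default is not set: no TLS listener will start")
    elif not port.isdigit():
        findings.append(f"listeners.ssl.default={port!r} is not a port number")

    for key in REQUIRED_FILE_KEYS:
        path = conf.get(key)
        if path is None:
            findings.append(f"{key} is not set")
            continue
        mode = file_mode(path)
        if mode is None:
            findings.append(f"{key}: {path} does not exist (broker will fail to start)")
            continue
        # The private key must not be readable by group or others.
        if key == "ssl_options.keyfile" and mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{key}: {path} is group/world accessible; restrict it to the broker user")

    if conf.get("ssl_options.verify") != "verify_peer":
        findings.append("ssl_options.verify is not verify_peer: client certificates are not checked")
    if conf.get("ssl_options.fail_if_no_peer_cert") != "true":
        findings.append("ssl_options.fail_if_no_peer_cert is not true: clients may connect without a certificate")
    # RabbitMQ opens the plaintext AMQP listener on 5672 unless it is set to none.
    if conf.get("listeners.tcp.default", "5672") != "none":
        findings.append("listeners.tcp.default is not none: a plaintext AMQP listener remains open")

    return findings


# Constructed sample mirroring the rabbitmq.conf snippet above, with the
# plaintext listener deliberately left enabled.
SAMPLE_CONF = """\
listeners.ssl.default = 5671
ssl_options.cacertfile = /etc/rabbitmq/ssl/ca_certificate.pem
ssl_options.certfile = /etc/rabbitmq/ssl/server_certificate.pem
ssl_options.keyfile = /etc/rabbitmq/ssl/server_key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
# listeners.tcp.default left unset on purpose
"""

# Constructed view of the filesystem: path -> st_mode. The key is 0644,
# which is too permissive for a private key.
SAMPLE_MODES = {
    "/etc/rabbitmq/ssl/ca_certificate.pem": 0o100644,
    "/etc/rabbitmq/ssl/server_certificate.pem": 0o100644,
    "/etc/rabbitmq/ssl/server_key.pem": 0o100644,
}


def demo():
    """Audit the constructed sample; returns two findings (key perms, tcp listener)."""
    return audit_tls_config(parse_rabbitmq_conf(SAMPLE_CONF), file_mode=SAMPLE_MODES.get)


if __name__ == "__main__":
    for finding in demo():
        print("FINDING:", finding)
```

Run it against a real broker config with `audit_tls_config(parse_rabbitmq_conf(open("/etc/rabbitmq/rabbitmq.conf").read()))`; an empty result means the paths resolve, the key is private to the broker user, mutual TLS is enforced and no plaintext port is left open, so the restart is safe to attempt.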
Quick Reference
| Setting | Description | Example Value |
|---|---|---|
| listeners.ssl.default | Port for SSL connections | 5671 |
| ssl_options.cacertfile | Path to CA certificate | /etc/rabbitmq/ssl/ca_certificate.pem |
| ssl_options.certfile | Path to server certificate | /etc/rabbitmq/ssl/server_certificate.pem |
| ssl_options.keyfile | Path to server private key | /etc/rabbitmq/ssl/server_key.pem |
| ssl_options.verify | Client cert verification mode | verify_peer |
| ssl_options.fail_if_no_peer_cert | Fail if client cert missing | true |
| listeners.tcp.default | Disable non-SSL listener | none |
Key Takeaways
Generate valid TLS certificates before configuring RabbitMQ SSL settings.
Set listeners.ssl.default to enable SSL on the desired port (usually 5671).
Configure ssl_options with correct paths to CA, server cert, and key files.
Disable non-SSL listeners to enforce secure connections.
Always restart RabbitMQ after changing SSL configuration.